SC Lawmaker: State Needs To Step Up Cybersecurity

South Carolina lawmaker Katie Arrington says she is pleased the administration of governor Henry McMaster is taking steps to address the Palmetto State’s cybersecurity vulnerabilities.

Having said that, she wants McMaster (and other state leaders) to take even bigger, bolder steps … and to make sure those steps are moving South Carolina in the right direction when it comes to protecting critical information infrastructure.

Arrington, a freshman lawmaker from Summerville, S.C., has been making waves at the State House this year with her various reform proposals – prompting talk of her possibly becoming a candidate for the U.S. Congress.

Arrington pulled off a major upset last spring when she defeated former governor Nikki Haley’s preferred candidate, Carroll Duncan, in a Republican primary election for S.C. House District 94 (map here).

We’ve tried on several occasions to get Arrington to share her thoughts with us on a possible congressional bid, but whenever we get her on the phone she demurs – preferring to address issues associated with her current job.

“Take cybersecurity,” she told us. “We need to assess the business systems in this state and the security they are supposed to be providing like a business would – not like a government would.”

According to Arrington, South Carolina remains exceedingly vulnerable to cyberattacks like the one that rocked the state’s Department of Revenue (SCDOR) five years ago. And she’s not sure McMaster’s latest attempt to address these vulnerabilities – last week’s creation of a new cybersecurity panel – is sufficient to meet those threats.

Her answer? Creating a cabinet-level agency – tentatively christened the “department of information systems and security” – led by a state chief information officer (CIO) who is directly accountable to the governor.

Arrington says the creation of such a position would not only empower the executive branch with a true cybersecurity czar – it could ultimately wind up saving taxpayers money in the long term.

“Our tax dollars are not the biggest issue – how we spend them is the problem,” she said. “We need a cultural shift not just in state government but in federal government as well.”

Arrington says her proposal – which she will submit in the form of draft legislation later this year – would move all information technology functions from the S.C. Department of Administration (SCDOA) into the new CIO’s office.

“This new cabinet level position would work directly with the governor and streamline these functions so that whenever agencies want to buy software there is an audit done with teeth in it – to say hey, ‘you may want it but you don’t need it,’” she said. “We need to get IT spending under control in this state and make sure taxpayers aren’t paying for unnecessary software at a time when there are real vulnerabilities that need to be addressed.”

According to Arrington, government’s role should be crafting legislation and policy that encourages agencies to engage cutting edge service-level contracts “not to own hardware that becomes obsolete the moment you buy it.”

“To save real money we need to become more efficient in using service-level contracts to stimulate small business growth with local and state-based firms,” she said. “That way the burden of training and updating doesn’t fall on the taxpayers.”

“A cabinet-level CIO position could really get this done,” she said.

Several state leaders have told us they are concerned critical data systems – including social security numbers, voter lists, health records and other sensitive information – are not secure under the current information technology framework.

These leaders say they are receptive to Arrington’s proposal, believing a cabinet level agency is necessary to set standards and protocols and roll out these solutions on an agency-by-agency basis.

We look forward to seeing what Arrington files. Data security is obviously a core function of government and we believe it should be funded accordingly.